Google Cloud CLI (gcloud) — IAM & Permissions Cheat Sheet 2026

Google Cloud CLI (gcloud) IAM & Permissions Cheat Sheet is the complete quick-reference of Google Cloud CLI (gcloud) IAM & Permissions commands grouped by function. Copy any command with one click and find what you need with Ctrl+F in under 3 seconds.

IAM & Permissions

Action	Command	Useful flags
List all properties in one’s active configuration	`gcloud config list`
Login to a Google account	`gcloud auth login`
Set the active project	`gcloud config set project <project_name>`
Create a service account	`gcloud iam service-accounts create <service-account-name> --display-name <display-name>`	`--display-name`
List service accounts	`gcloud iam service-accounts list`	`-accounts`
List keys for a service account	`gcloud iam service-accounts keys list --iam-account <email>`	`--iam-account`
Add IAM policy binding to a project	`gcloud projects add-iam-policy-binding <project-id> --member <member> --role <role>`	`--member --role`
Get IAM policy for a project	`gcloud projects get-iam-policy <project-id>`	`-iam-policy -id`
List predefined IAM roles	`gcloud iam roles list`
Create a custom IAM role	`gcloud iam roles create <role-id> --project <project-id> --title <title> --permissions <permissions>`	`--project --title --permissions`

⚠️ Dangerous / Destructive Commands

These commands are irreversible. Verify your environment (dev/staging vs prod) before running them.

Action	Command	Warning
⚠️ Destroy ⚠️	`terraform destroy -auto-approve`	Irreversible — verify the target before running
⚠️ Delete	`kubectl delete namespace production`	Irreversible — verify the target before running
⚠️ Prune ⚠️	`docker system prune -af --volumes`	Irreversible — verify the target before running
⚠️ Delete	`pvesh delete /nodes/{node}/qemu/{vmid}`	Irreversible — verify the target before running
⚠️ Delete	`az group delete --name MyResourceGroup --yes`	Irreversible — verify the target before running

FAQ — Frequently Asked Questions

What is the difference between IAM & Permissions and the other groups?

Each group in this Google Cloud CLI (gcloud) cheat sheet covers a distinct area. IAM & Permissions focuses on its specific scope, while the other groups and the remaining groups cover networking, storage, security and diagnostics respectively.

How do I check the installed Google Cloud CLI (gcloud) version?

Run the version command (usually gcloud version or gcloud --version). The output shows the client and, when applicable, the server version.

Why does Google Cloud CLI (gcloud) return ‘permission denied’?

A ‘permission denied’ error in Google Cloud CLI (gcloud) usually means the current user lacks sufficient privileges or credentials are not configured. Check: (1) assigned IAM/RBAC roles, (2) an active authentication context via the corresponding login command.

How do I filter Google Cloud CLI (gcloud) output by status or name?

Use flags such as --filter, --selector or --query depending on the tool. You can also pipe into grep or jq to process JSON:

gcloud list | grep RUNNING

What is the fastest way to debug a Google Cloud CLI (gcloud) error?

Add the verbose flag (--verbose, -v or --debug) to the failing command. This reveals the underlying HTTP/API calls and the full error response body.

Official sources & references

Commands cross-checked against vendor documentation and high-authority repositories: